I am referring to the US. I have never received any actual proof that the theoretical separation of a datacenter from the mother US-based company will make it immune from the US' draconian surveillance laws, therefore I should assume that it's not trustworthy. Given past experience, I think this is a reasonable stance to take.
The GDPR isn't very topical here, because big conglomerates have been violating it since its inception. Until the teeth have been enforced, we have to assume that a US company is not only shovelling all of your data to every government agency (which would happen even with the GDPR being followed, as you say) that blinks at them a few times but is also selling it to every marketing agency that is capable of paying.
I agree and can somewhat chime in. I am not a lawyer. I have spoken to folks that would be involved if we receive an NSL. We would obey the NSL regardless of GDPR. For standard legal requests, I am not sure of the current status of what we would do. AFAIK no U.S. company will risk disobeying the gag order and compliance aspects of a national security letter.